feat: add timezone validation to prevent SQL injection

Add isValidTimeZone() utility function to validate timezone strings
before using them in SQL queries. The function ensures only safe
characters are allowed in timezone names.

Security improvements:
- Validate timezone strings against safe character regex
- Reject strings with SQL injection patterns
- Support all valid IANA timezone formats
- Length limits and empty string checks

This prevents potential SQL injection in the SET TIME ZONE command
while maintaining compatibility with all legitimate timezone values.

Author: mgcrea

src/utils/time.ts

@@ -7,3 +7,15 @@ export const calculateDelay = (attempts: number): number =>
   Math.min(1000 * Math.pow(2, Math.max(1, attempts)) + Math.random() * 100, Math.pow(2, 31) - 1);
 
 export const getCurrentTimeZone = (): string => Intl.DateTimeFormat().resolvedOptions().timeZone;
+
+/**
+ * Validates that a timezone string is safe to use in SQL.
+ * PostgreSQL timezone names should only contain alphanumeric characters, underscores, slashes, plus, and minus.
+ * @param timezone - The timezone string to validate
+ * @returns true if the timezone is safe
+ */
+export const isValidTimeZone = (timezone: string): boolean => {
+  // Allow only safe characters: alphanumeric, underscore, slash, plus, minus, and colon
+  // This matches valid IANA timezone names like "America/New_York", "UTC", "GMT+8", etc.
+  return /^[a-zA-Z0-9_/+:-]+$/.test(timezone) && timezone.length > 0 && timezone.length < 100;
+};